OnTheFly
OnTheFly is a Visual Basic Script worm. The worm was created with a worm construction kit. This worm stands out because virus and worm construction kits rarely produce working code, but rather broken, intended code. It is probably most famous for its social engineering tactic, using the promise of pictures of the famous tennis star, Anna Kournikova, to entice victims to run the worm. Payload OnTheFly comes in an email attachment with the subject line "Here you have, ;o)" and body text "Hi: line Check This!". The attachment is a 2,853 byte-long .VBS file named AnnaKournikova.jpg.vbs, encouraging the recipient to open it with the promise of a picture of the tennis star. When executed, the virus creates a Current User registry key, \Software\OnTheFly\mailed. The worm will check the value set to the registry key for the number "1" which signifies the mailing routine has been performed. If not, the worm mails itself to every email address in the Outlook Address Book and then adds the "1". After performing the mailing routine, the worm continues to run. If the date is January 26, OnTheFly tries to open a web page from the Netherlands (http://www.dynabyte.nl). Effects As OnTheFly has no deliberately malicious payload, its ability to cause damage is mostly limited to taking up space in mailboxes and consuming system resources. Millions of computers were supposedly infected with the worm, but the FBI only turned up 55 that claimed any losses. The largest figure for the damage toll of the worm is $166,827. Creator The creator, Jan de Wit, was a 20 year-old student and computer shop employee from the town of Sneek, Netherlands. De Wit did not actually know how to program on a computer, and used a VBS virus generator toolkit. He turned himself in on February 13, 2001, saying he had no intention of causing such damage. De Wit wrote a personal statement on the same day. De Wit was sentenced to 150 days of community service. The Mayor of Sneek offered him an IT Job. Name The official Virus Encyclopedia name for the worm is OnTheFly. De Wit himself named the worm VBS.OnTheFly, but did not really care what the media called it. While most of the media referred to the worm as some variation of Anna Kournikova's name, others did refer to it as OnTheFly. Some antivirus products refer to the worm as VBS/VBSWG, usually with a variant letter, standing for "Visual Basic Script Worm Generator". Antivirus Aliases Virus Encyclopedia full name: Worm/Email/VBS/OnTheFly *CA: VBS.VBSWG.J *F-Prot: VBS/VBSWG.J@mm *F-Secure: VBS/OnTheFly@mm *Kaspersky: VBS.VBSWG-based *McAfee: VBS/SST@MM or VBS/VBSWG.gen@MM *MKS: VBS.OnTheFly *Panda: VBS/SST-A *Sophos: VBS/SST-A *Trend Micro: VBS_KALAMAR.A Sources Jan de Wit's personal statement McAfee Antivirus, VBS/VBSWG.gen@MM Eric Chien. Symantec, VBS.SST@mm John Leyden. The Register, "Anna Kournikova virus spreading like wildfire". 2001.09.12 -. -, "Anna Kournikova bug drops harmlessly onto the Net". 2001.09.13 Robert Blincoe. -, "Kournikova virus kiddie gets 150 hours community service" 2001.09.27 James Middleton. "Anna virus writer offered IT job" 2001.09.20 Robert Lemos, Hernan Alijo. CNET News.com, ""Anna" virus toolkit pulled from Net" 2001.02.15 CNN Archive, "Man charged over Kournikova virus". 2001.02.14 Category:Worm Category:Mass mailer worm Category:Social engineer Category:VBS Category:Email worm Category:Win32 Category:Win32 worm Category:Microsoft Windows